As everyone knows, cloud provider Nirvanix recently fell apart, declaring bankruptcy and leaving its customers in the lurch. Nirvanix gave enterprises less than a month to move their data to a new home. To avoid the fate of those customers, follow these best practices for safely moving data in and out of the cloud.
Due diligence: financials first
The Cloud Security Alliance’s February 2013 report, “The Notorious Nine: Cloud Computing Top Threats in 2013” has identified a lack of due diligence as a continuing threat to cloud computing. When enterprises do look into cloud providers, their view of things is a bit lopsided. “Cloud consumers place too much emphasis on information assurance and privacy, or focus on cost reduction and savings at the expense of investigating the financial health of candidate providers,” says John Howie, COO, the Cloud Security Alliance.
“Perceived profitability does not imply stability for a company or a service provider,” says Adam Gordon, CISO, New Horizons Computer Learning Centers; “the management strategies of a company can squander financial success overnight, driving profitability, the company and its partners over a cliff quickly if nobody is paying attention.”
Organizations should examine the financial status of the cloud provider. Enterprises can investigate public corporations by examining their regulatory filings such as a 10K through the SEC. “This will detail the cloud provider’s finances and self-identified risks,” says Howie.
“If possible, examine audited financials for at least the last two to three years,” says Gordon. These should demonstrate an overall positive trend in the growth and management of capital and the business bottom line, Gordon explains. “While it is realistic to see fluctuations and negative outcomes over a period of time, unless we are looking at the Amazons of the cloud services ecosystem, we should expect to see positive growth in revenue and profitability as well as expansion over a two to three year timeline,” says Gordon.
Financials should also demonstrate business management and business growth strategies that indicate a strong direction, long-term planning, sound risk management and the ability to weather crises while maintaining focus, clarifies Gordon, drilling down. “Investments that support a long-term strategy for growth and market share acquisition are important indicators of stability as well,” says Gordon.
Howie advises large enterprises to consider using a cloud broker to analyze their cloud computing requirements, determine their risk tolerance and select cloud providers that are a match for the enterprise. “Cloud brokers will examine providers’ overall financial health and determine the potential likelihood that a provider will withdraw service,” says Howie. The US National Institute of Standards and Technology (NIST) has produced Special Publication 500-292, which defines the role of a cloud broker.
A CIO or other C-level should be involved in the relationship with the cloud broker in order to forge the necessary strategic alignment necessary to derive value from the broker by driving and directing the consumption of cloud services, explains Gordon. “You can find real world practical examples of success with cloud brokers in the Government sector at the Federal and State levels. The state of Texas has been using a cloud brokerage model since 2011, as have many Federal agencies,” Gordon adds.
Preparing to leave: Contract language, cloud portability
“For organizations that do not have the resources to employ a cloud broker, the Cloud Security Alliance recommends that enterprises address the issue of discontinuation of service in the contract language,” says Howie. Contract clauses and provisions should ensure sufficient notice of termination of service and tools and assistance in moving data out of the cloud in a timely manner and in a format that enables the enterprise to use the data in another service, Howie explains.
According to Howie, cloud contract language can require many assurances including that the provider set aside money in an escrow account for third-party assistance in extracting the data. These agreements can also establish that storage and processing equipment must be accessible by the enterprise customer in case of business failure. The language can further include references to third-party warranties or insurance. Finally, Howie closes, the contract can compel the provider to disclose its financial situation on a quarterly basis with an option for the enterprise customer to break its contract if the financials show the provider is in trouble.
But, contract language will not be enough to mitigate using a private company or start-up cloud provider. Enterprises will have to weigh carefully whether they can justify the risk that such a company may suddenly stop offering the service. “Enterprises should always have an exit strategy in place as part of a business continuity management plan,” says Howie.
Domain 6 of the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing V3 includes recommendations that enterprises consider a scenario for how they will move data out of the cloud provider’s service. “In section 6.2, An Introduction to Portability, we say portability is a key aspect to consider when selecting cloud providers. We specifically mention disaster recovery,” says Howie.
The business failure of a cloud provider is a business disaster and something that an enterprise’s business continuity management planning should cover. “Sections 6.3.2, Portability Recommendations and 6.3.3, Recommendations for Different Cloud Models provide specific, concrete guidance and high-level considerations,” says Howie, speaking of the Cloud Security Alliance’s aforementioned Security Guidance.
In Section 6.3.2, the Cloud Security Alliance’s Security Guidance recommends that enterprises be aware of the differing service and platform dependencies of different cloud architectures. When an enterprise’s applications and data are tied to and entangled in the dependencies existent in one platform, this can present technical challenges to moving to a provider using a different architecture.
Proprietary authentication technologies and identity management systems will impede portability of cloud data, applications and services to a cloud environment that does not use the same authentication and identification standards and vendors. By using an open standards IAM platform such as SAML, according to the Cloud Security Alliance’s Security Guidance, the enterprise can achieve portability of these mechanisms when moving to another cloud provider.
The Cloud Security Alliance further urges enterprises to maintain possession and control of encryption keys to ensure a secure and expedient exit from the existing cloud provider. Likewise, enterprises should take measures to ensure that it removes all metadata describing its data from the existing cloud provider when moving to a new cloud environment so that no opportunity for data compromise remains. These best practices are also contained in the Cloud Security Alliance’s Security Guidance. This Security Guidance provides detailed instructions for preparing for a safe move out of the cloud for each of the cloud models, in Section 6.3.3.
“An ounce of prevention is worth a pound of cure” — Benjamin Franklin
An enterprise can do everything necessary to ensure it can get its applications and data out of the cloud unscathed before it commits to moving in. This should steer an organization clear of a future Nirvanix and into a relationship with a cloud partner it can count on.